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CLAIM AMENDMENTS 

The following is a complete listing of the pending claims: 

1 . (currently amended) A block-level storage device, comprising: 
a storage medium; and 

a storage engine, the storage engine being configured to generate a secure session 
key and to receive a block of encrypted content and its corresponding encrypted content 
key from a host system, wherein the content key has been encrypted by the host system 
using the secure session key, the storage engine being further configured to decrypt the 
encrypted content key using the secure session key and to encrypt the decrypted content 
key with a first storage engine encryption key and to write the first- storage-engine- 
encrypted content key to the storage medium. 

2. (original) The block-level storage device of claim 1 , wherein the storage 
engine is further configured to generate the secure session key in response to verifying 
the authenticity of a certifying authority's digital signature provided by the host system. 

3. (original) The block-level storage device of claim 2, wherein the storage 
engine is further configured to encrypt the secure session key using a public key provided 
by the host system such that the host system can recover the secure session key only by 
decrypting the encrypted secure session key using the private key corresponding to the 
public key. 
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4. (original) The block-level storage device of claim 3, wherein the storage 
engine is further configured to re-encrypt the block of encrypted content using at least a 
second storage engine encryption key. 

5. (original) The block-level storage device of claim 4, wherein the second 
storage engine encryption key comprises a Data Encryption Standard (DES) key. 

6. (original) The block-level storage device of claim 5, wherein the DES key 
comprises a triple DES key. 

7. (original) The block-level storage device of claim 1 , wherein the storage 
engine is a hard disc storage engine and wherein the storage media is a hard disc* 

8. (original) The block-level storage device of claim 7, wherein the storage 
media is a removable hard disc, 

9. (original) The block-level storage device of claim 3, wherein the public key 
and the private key are elliptic curve cryptography keys. 

10. (original) The block-level storage device of claim 1, wherein the storage 
engine includes a random number generator for generating the secure session key. 
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1 1 . (original) A method of writing to a block-level storage device from a host 
system having a public key and a corresponding private key, comprising: 

encrypting a secure session key using the public key; 

recovering the secure session key from the encrypted secure session key using the 
corresponding private key; 

encrypting content according to a content key and commanding the block-level 
storage device to write the encrypted content to host-system-dctermined block addresses; 

encrypting the content key using the secure session key and transmitting the 
encrypted content key to the block-level storage device; and 

in the block-level storage device, decrypting the encrypted content key using the 
secure session key. 

1 2. (original) The method of claim 1 1 , further comprising: 

in the block-level storage device, encrypting the decrypted content key with a 
storage device key; and 

writing the storage-device-encrypted content key to a host-system-determined 
block address. 

1 3 . (original) The method of claim 1 1 , wherein the content comprises a file 
system object, the method further comprising: 

in the block-level storage device, encrypting the decrypted content key with a 
storage device key, and 
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writing the storage-device-encrypted content key to a storage-device-determined 
block address, 

14. (original) A system, comprising; 

a host system, the host system configured to request for file system objects stored 
by a storage device by identifying the block addresses containing a requested file system 
object and requesting the storage device to return the content stored at the identified 
block addresses, the host system being further configured to identify the file system 
object to the storage device if the requested file system object comprises secure content; 
and 

a storage device having: 

a storage medium configured to store security metadata for the secure file 
system objects; and 

a storage engine, the storage engine being configured to respond to block- 
level requests from the host system by retrieving the content stored at the requested block 
addresses from the storage medium, the storage engine being further configured to access 
the security metadata if the block-level requests correspond to content comprising a 
secure file system object. 

15- (original) The system of claim 14, wherein the security metadata includes a 
locking indicator, the storage engine being configured to prevent access to the 
corresponding file system object content if the locking indicator indicates the file system 
object is locked. 
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16. (original) The system of claim 1 5, wherein the storage engine is configured 
to change the security metadata for a secure file system object in response to an Internet 
transaction with a validated host system, 

1 7. (original) The system of claim 1 4, wherein the security metadata includes a 
play flag, the play flag indicating how many times the corresponding file system object 
may be played by the host system, the storage engine being configured to prevent access 
to the corresponding file system object if the play flag indicates that the host system has 
no remaining play rights. 

1 8. (original) The system of claim 1 7, wherein the storage engine is configured 
to erase the security metadata if the play flag indicates that the host system has no 
remaining play rights. 

19. (original) The system of claim 17, wherein the security metadata includes a 
locking indicator, the storage engine being configured to prevent access to the 
corresponding file system object content if the locking indicator indicates the file system 
object is locked, and wherein the storage engine is configured to assert the locking 
indicator if the play flag indicates that the host system has no remaining play rights. 

20. (original) The system of claim 14, wherein the security metadata includes a 
copy flag, the copy flag indicating how many times the host system may copy the 
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corresponding file system object, the storage engine being configured to prevent access to 
the corresponding file system object if the copy flag indicates that the host system has no 
remaining copy rights. 

21 . (original) The system of claim 20, wherein the storage engine is configured 
to modify security metadata for a secure file system object through an Internet transaction 
with an authorized host system. 

22. (original) The system of claim 14, wherein the storage engine is configured 
to generate a secure session key, the storage engine generating the security metadata for 
each secure file system object by receiving a corresponding encrypted content key from 
the host system, wherein the content key has been encrypted by the host system using the 
secure session key, the storage engine being further configured to decrypt the encrypted 
content key using the secure session key and to encrypt the decrypted content key with a 
first storage engine encryption key and to write the storage-engine-encrypted content key 
to the storage medium. 

23. (original) A system, comprising: 

a host system, the host system being configured to request for non-secure file 
system objects by identifying the block addresses corresponding to the non-secure file 
system object and to request for secure file system objects by identifying the file system 
object; and 

a storage device having: 

Page 15 of 19 

PAGE 17/24 * RCVD AT 5/23/2007 3:1 1 :03 PM [Eastern Daylight Time] * SVR:USPTO-EFXRF-2/16 * DNIS:2738300 * CSID:d497527049 1 DURATION (mm-ss):06-38 



■05-23-' 07 12:13 FROM-MKC&H LLP 9497527049 T-670 P018/024 F-409 

M-15255 US 
10/696,077 

a storage medium configured to store security metadata for the secure file 
system objects; and 

a storage engine, wherein the storage engine is configured to control the 
file system used to store secure and non-secure file system objects on the storage 
medium, the storage engine being further configured to respond to block-level requests 
for non-secure file system objects by translating the block-level requests from the host 
system to byte-level offsets within a file system object on the storage medium, the 
storage engine being further configured to control the file system associated with secure 
file system objects by determining where secure file system objects will be stored on the 
storage medium and where the corresponding security metadata will be stored on the 
storage medium. 

24. (original) The system of claim 23, wherein the storage engine is a hard disc 
Storage engine and wherein the storage media is a hard disc. 

25. (original) The block-level storage device of claim 24, wherein the storage 
media is a removable hard disc. 

26. (original) The system of claim 23, wherein the security metadata includes a 
locking indicator, the storage engine being configured to prevent access to the 
corresponding file system object content if the locking indicator indicates the file system 
object is locked. 
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27. (original) The system of claim 23, wherein the security metadata includes a 
play flag, the play flag indicating how many times the corresponding file system object 
may be played by the host system, the storage engine being configured to prevent access 
to the corresponding file system object if the play flag indicates that the host system has 
no remaining play rights. 

28. (original) The system of claim 23, wherein the security metadata includes a 
copy flag, the copy flag indicating how many times the host system may copy the 
corresponding file system object, the storage engine being configured to prevent access to 
the corresponding file system object if the copy flag indicates that the host system has no 
remaining copy rights. 

29. (original) A block-level storage device, comprising: 
a storage medium; and 

a storage engine, the storage engine being configured to respond to block-level 
non-secure content requests, block-level secure content requests, and block-level security 
metadata requests from a host system, the storage engine being further configured to, in 
response to a security metadata request, generate a secure session key and to receive an 
encrypted content key from the host system, wherein the content key has been encrypted 
by the host system using the secure session key. the storage engine being further 
configured to decrypt the encrypted content key using the secure session key and to 
encrypt the decrypted content key with a first storage engine encryption key and to write 
the storage-engine-encrypted content key to the storage medium. 
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30. (original) The block-level storage device of claim 29, wherein the storage 
engine includes a random number generator for generating the secure session key, 

3 1 . (Currently amended) The block-level storage device of claim 22, wherein the 
storage engine is configured to receive a public key from the host system and to encrypt 
the secure session key with the public key and to send the encrypted secure session key to 
the host system, whereby the host system may recover the secure session key only 
through the use of the host system's corresponding private key. 
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